CVE-2008-4297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4297): Mercurial before 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote attackers to read arbitrary files from a repository via an "hg pull" request.
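The advisory above only matters to deployments that are both running an affected version and actually relying on the [web] allowpull setting to keep a repository from being pulled. The following triage helper is an added example, not code from the Gentoo bug or from Mercurial itself: it assumes the fix threshold 1.0.2 stated in the CVE text, and it reads the allowpull key from a constructed hgrc snippet (Mercurial's default for allowpull is true, which is why a missing key is treated as enabled).

```python
"""Triage helper for CVE-2008-4297 (added example, not from the bug or from Mercurial).

Classifies an hgweb deployment by Mercurial version and its [web] allowpull setting:
  "fixed"                    - version >= 1.0.2, the setting is enforced again
  "not relying on allowpull" - affected version, but allowpull was never turned off
  "exposed"                  - affected version and allowpull = false is being ignored
"""
import configparser
import re

# Fix threshold taken from the advisory text ("Mercurial before 1.0.2").
FIXED_VERSION = (1, 0, 2)


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '1.0.1' or '1.1' into a 3-tuple of ints.

    Missing components are padded with 0 so '1.1' compares as (1, 1, 0).
    Trailing suffixes like '-r3' are ignored; they are a Gentoo revision, not upstream.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % version)
    nums = tuple(int(p) for p in match.group(1).split("."))
    return nums + (0,) * (3 - len(nums))


def allowpull_enabled(hgrc_text: str) -> bool:
    """Read [web] allowpull from hgrc-style text; Mercurial's default is true."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(hgrc_text)
    return cp.getboolean("web", "allowpull", fallback=True)


def assess(version: str, hgrc_text: str) -> str:
    """Combine version and config into one of the three outcomes above."""
    if parse_version(version) >= FIXED_VERSION:
        return "fixed"
    if allowpull_enabled(hgrc_text):
        return "not relying on allowpull"
    return "exposed"


if __name__ == "__main__":
    # Constructed hgrc snippet for illustration: a repo that tried to forbid pulls.
    SAMPLE_HGRC = "[web]\nallowpull = false\n"
    for ver in ("1.0.1", "1.0.2"):
        print(ver, "->", assess(ver, SAMPLE_HGRC))
```

Run it against the hgrc of each hgweb-served repository together with the output of `hg version`; only the "exposed" outcome describes the situation the CVE is about, since with allowpull left at its default a pull was permitted anyway.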
Is 1.0.2 ready for stable?
Arches, please test and mark stable: =dev-util/mercurial-1.0.2
Target keywords: "alpha amd64 ia64 ppc ppc64 sparc x86"
1.0.2 has dev-python/pygments as a dependency. Python team, are we allowed to mark this package stable?
Hello, I have filed a stablereq on dev-python/pygments-0.10 and added it as a dep for this bug. Best regards,
Thanks! amd64 stable
Created attachment 167180: ppc and ppc64 test failures
Anyone else seeing test failures like this? Same for me on both ppc and ppc64
Created attachment 167191: mercurial-1.0.2.ebuild

Brent, it seems these are the failures from bug 231280 and introduced by 1.0.1-r3. Does it work with this ebuild?
(In reply to comment #8)
> Created an attachment (id=167191)
> mercurial-1.0.2.ebuild
>
> Brent, it seems these are the failures from bug 231280 and introduced by
> 1.0.1-r3. Does it work with this ebuild?

Looks good on amd64/x86, no more test failures.
Updated the ebuild then; I left the keywords (and lack thereof) intact.
ppc and ppc64 stable on -1.0.2 now. all tests passed fine.
Sparc stable. All tests fine, although one is skipped:

Skipped test-no-symlinks: system supports symbolic links

The comment is correct, so I suppose that this is expected.
alpha/ia64/x86 stable
Time for GLSA decision. I'd go for a NO here since the impact is rather low IMHO.
NO, impact is limited to secret files in repository. Seriously, who puts them in a public repo anyway? :-)